Lab 3.0 - Static Analysis

This lab is instructor-led.

Task 1

Analyse sample ‘gtm4183’

Step 1

Start IDA Pro

Click on ‘New’

Step 2

Select ‘gtm4183’ and open the file.

Accept all the defaults on the next screen.

Let the file load into IDA Pro.

Step 3

You will see the IDA ‘graph view’ once the file has been fully loaded.

Find the function ‘start’ and double-click on it.

You should land on the function in the code view.
Take note of the start address.

Go to the ‘imports’ section and take note of all the imports that you can see listed in there.

Step 4

Exit out of IDA Pro.

Check the box that says ‘DON’T SAVE the database’.

Task 2

Analyse sample grammer.exe

Repeat steps 1 and 2 from Task 1 above.

Step 3

Find the function responsible for registry operations. Note down the following info in the Notes doc:

  1. Function name.
  2. Function Address.
  3. Arguments passed for creating a Key.
  4. What is the registry value that is being passed - provide the full path and value.
  5. Last function call.

Step 4

Find the function that is responsible for executing the next stage binary.

Note down the following info in the Notes doc:

  1. Function name.
  2. Function Address.
  3. File type that is executed - paste the entire line of code.
  4. The main function call that is needed for this subroutine to successfully execute.
  5. What happens if the result of this line is ‘zero’: cmp [ebp+arg_0], esi

Step 5

What are the two functions that attempt process injection?
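The manual work in Task 1 Step 3 and Task 2 Steps 3 and 5 (read the imports, then chase cross-references to find which function calls the registry or injection APIs) can be automated from IDA's Python console. The script below is an added example for this lab, not part of the lab materials or of IDA Pro; the API category table, the `sub_4010xx` caller names and the sample call sites are assumptions constructed for illustration, not values from ‘gtm4183’ or ‘grammer.exe’.

```python
# Added triage helper: group imported Win32 API calls by the function that
# calls them, so "which function does registry operations?" and "which
# functions attempt process injection?" become one lookup each.
from collections import defaultdict

# Assumed category table: a small set of well-known Win32 APIs per behaviour.
API_CATEGORIES = {
    "registry": {"RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA",
                 "RegSetValueExW", "RegOpenKeyExA", "RegOpenKeyExW"},
    "injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtCreateThreadEx", "QueueUserAPC"},
    "execution": {"CreateProcessA", "CreateProcessW", "WinExec",
                  "ShellExecuteA", "ShellExecuteW"},
    "network": {"InternetOpenA", "InternetOpenUrlA", "HttpSendRequestA",
                "WSAStartup", "connect"},
}

def category_of(api_name):
    """Return the behaviour category of an import name, or None if benign/unknown."""
    for cat, names in API_CATEGORIES.items():
        if api_name in names:
            return cat
    return None

def triage(call_sites):
    """call_sites: iterable of (caller_function_name, imported_api_name).
    Returns {category: {caller: sorted list of APIs it calls}}; imports that
    match no category are dropped so only the interesting callers remain."""
    grouped = defaultdict(lambda: defaultdict(set))
    for caller, api in call_sites:
        cat = category_of(api)
        if cat:
            grouped[cat][caller].add(api)
    return {cat: {fn: sorted(apis) for fn, apis in callers.items()}
            for cat, callers in grouped.items()}

def collect_call_sites_from_ida():
    """Walk IDA's import table and every xref to each import (IDAPython only)."""
    import idaapi, idautils, idc  # assumption: run inside IDA's Python console
    sites = []
    def on_import(ea, name, ordinal):
        if name:
            for xref in idautils.XrefsTo(ea):
                sites.append((idc.get_func_name(xref.frm) or "<no function>", name))
        return True  # keep enumerating
    for i in range(idaapi.get_import_module_qty()):
        idaapi.enum_import_names(i, on_import)
    return sites

# Constructed sample call sites in the shape IDA would produce (not from the lab samples).
SAMPLE_SITES = [("sub_401000", "RegCreateKeyExA"), ("sub_401000", "RegSetValueExA"),
                ("sub_401200", "CreateProcessA"), ("sub_401400", "VirtualAllocEx"),
                ("sub_401400", "WriteProcessMemory"), ("sub_401400", "CreateRemoteThread"),
                ("sub_401600", "QueueUserAPC"), ("sub_401800", "InternetOpenUrlA"),
                ("sub_401800", "lstrlenA")]  # benign import, dropped by triage

if __name__ == "__main__":
    try:
        sites = collect_call_sites_from_ida()
    except ImportError:  # not inside IDA: fall back to the constructed sample
        sites = SAMPLE_SITES
    for cat, callers in sorted(triage(sites).items()):
        for fn, apis in sorted(callers.items()):
            print(f"{cat:10} {fn:14} {', '.join(apis)}")
```

Inside IDA, run it from File > Script file after the database has finished analysing; the "injection" rows answer Step 5 directly and the "registry" rows point at the function for Task 2 Step 3.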

Step 6

  1. Find the C2.
  2. What is the variable name for the C2 info?

You have now completed the lab.